Deciphering Permissions: “Read Phone State and Identity”

Those of us that are wary about malware and viruses in software always say, “Read the permissions!”, meaning that you should really understand what you are giving the app permission to do when you install it. Google makes you click through an app’s security permission list when installing for a reason – so it’s not their fault if you allow an app to steal your information!

However, even though I’m a programmer myself, I still find myself installing apps with security permissions that I don’t fully understand! It’s not easy to know what all of the various mysterious-sounding permission names mean, so I decided it might be a good idea to dive in and find out what a few of these permissions really allow the app publishers to do and share that info here.

The first one I want to research is one of the most common: Phone Calls – Read Phone State & Identity. Why would a ringtone app need to know my phone’s unique identifier? Why would a wallpaper app need to know whether I’m in a call or not? What do phone state and identity really mean anyway?

The first place I looked for information was the Android SDK documentation – which is the reference material developers use when building their apps. The list of permissions was interesting, but not particularly enlightening. It said that “READ_PHONE_STATE” allows your app to access the state of the phone. OK, so what does that mean? Digging deeper, I found the various values for “phone state” listed here, which include “Call State – Ringing” and “Data Connected”. So, basically the app can tell whether you’re in a call or not and what the state of your data connection is.

But the more concerning part of the permission is the “identity” part. Allowing an app to read a phone’s unique identifier lets its developer track your usage of the app, and lets that developer know whether one person has downloaded several of their apps. Basically, it’s like letting Google track your search history: it may not know who you are exactly, but tracking your usage over time allows a company to build a profile of your individual activity.

It turns out that the main reasons developers give for needing this permission are:

  1. they need a way to assign a unique ID to you for registration/activation purposes, or
  2. they are using an advertising system like AdMob that requires them to use this permission so the 3rd-party advertiser can collect statistics.

Since most free app developers rely on advertising to fund their businesses, you can see why so many apps need this permission, but you also have to understand the trade-off: both the advertiser and the app publisher can track your usage of the app, and your usage across multiple apps if they collect all that data centrally (which advertisers definitely do).
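The trade-off above can be checked before installing: an identifier only becomes a tracking tool when the app can also reach the network. The following is an added example, not part of the original post. It assumes the app's AndroidManifest.xml has already been decoded to plain-text XML, the package names are constructed, and the implicit-grant rule for apps targeting SDK 3 or lower goes beyond the post and comes from Android's documentation.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PHONE_STATE = "android.permission.READ_PHONE_STATE"
INTERNET = "android.permission.INTERNET"
NS_DECL = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample manifests for three hypothetical apps.
RINGTONE_APP = f"""<manifest {NS_DECL} package="com.example.ringtones">
  <uses-sdk android:minSdkVersion="7" android:targetSdkVersion="8"/>
  <uses-permission android:name="{PHONE_STATE}"/>
  <uses-permission android:name="{INTERNET}"/>
</manifest>"""
LEGACY_APP = f"""<manifest {NS_DECL} package="com.example.legacy">
  <uses-sdk android:minSdkVersion="3"/>
  <uses-permission android:name="{INTERNET}"/>
</manifest>"""
WALLPAPER_APP = f"""<manifest {NS_DECL} package="com.example.wallpaper">
  <uses-sdk android:minSdkVersion="7" android:targetSdkVersion="8"/>
</manifest>"""

def _sdk(elem, attr, default):
    """Read an integer SDK level, falling back when absent or non-numeric."""
    try:
        return int(elem.get(ANDROID + attr)) if elem is not None else default
    except (TypeError, ValueError):
        return default

def audit_manifest(xml_text):
    """Report how an app obtains READ_PHONE_STATE and whether it has network access."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    min_sdk = _sdk(sdk, "minSdkVersion", 1)
    target_sdk = _sdk(sdk, "targetSdkVersion", min_sdk)
    if PHONE_STATE in perms:
        phone_state = "declared"
    elif target_sdk <= 3:
        # Per Android's documentation, apps targeting SDK 3 or lower are
        # granted READ_PHONE_STATE implicitly, without declaring it.
        phone_state = "implicit"
    else:
        phone_state = "absent"
    internet = INTERNET in perms
    return {"package": root.get("package"), "phone_state": phone_state,
            "internet": internet,
            "can_track": phone_state != "absent" and internet}

if __name__ == "__main__":
    for manifest in (RINGTONE_APP, LEGACY_APP, WALLPAPER_APP):
        print(audit_manifest(manifest))
```
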

This one is pretty tough to avoid, so I’d say just be especially wary of typically-suspicious apps (like ringtone apps) that use this permission and only install apps with this permission from developers you trust.

I rely a lot on the app’s marketplace rating to determine safety. Although it’s not a definite indicator (a developer could create a really great app and still use your information maliciously, or a developer with good intentions could just publish a really poor app), if I see an app with a really poor rating, especially if a developer has multiple apps with really poor ratings, I am suspicious that they may be spending too little time on improving their application because their reason for wanting you to download their app has nothing to do with its quality; they just want your information or ad impressions.

So, overall, keep your eyes open and uninstall apps that make you suspicious, but keep in mind that sometimes dangerous-sounding permissions are necessary for non-malicious purposes.

I do have a suggestion for Google, though – allow us to opt out of individual permissions! If we download an app and find that it can run just fine without reading our “identity”, then we should be able to disable that “feature” of each app on an individual basis.

On a related note, I just heard about an app today called “Privacy Blocker” that claims to do just that, and I hope to review it here in the future!

What other permissions do you want us to explore here on WomenWithDroids? Let us know in the comments!


2 Responses to “Deciphering Permissions: “Read Phone State and Identity””

  1. Angie says:

    This is GREAT information! I have been trying to figure this stuff out for myself for a bit now when I stumbled across this article. I haven’t looked this one up yet but I have an app that requests “Your Location” as a permission to update. This would be fine if it had something to do with my navigation app, but it’s a game where you find the differences in pictures! WTH!? Why in the world would THAT app need to access my location!? Another one I am worried about is my Pandora internet radio app. It needs an update but is requesting new permissions like “Network Communication (full internet access, create bluetooth connections…this last one I have a problem with), System Tools (modify global system settings, prevent phone from sleeping, bluetooth administration, change Wi-Fi state, change network connectivity….almost all of these I have a problem with), Your Personal Information (Read contact data, add or modify calendar events and send email to guests…..WTF!!!??), and the one this article covers. I am not so sure I am willing to update this app and I may just delete it because of these permissions. I really wish the app developers would be less cryptic about the use of these permissions and as you said, why aren’t they required to make it an OPTION? Like the way many online programs try to spoon feed you Google Chrome or things of that nature but you can easily opt out by reading through before you download the program and uncheck the “Install this as well” box. I do have another question about these new permissions and updating an app. I know with other programs on a computer, some updates make the program run more smoothly or fix bugs, or even make security better. So my question is, are any of the app updates that are requesting all these new permissions geared in this direction? Is it possible you will be less secure or more prone to malicious attack on your phone if you have an app you regularly use, but don’t update it because of the permissions?
    I tend to err on the side of paranoia. Just because I’m paranoid, doesn’t mean there aren’t men in black suits out to get me, heh.

  2. Arly says:

    Nice article. Have you had any chance to review Privacy Blocker? I downloaded it due to privacy concerns. My cell number should not be available to just anyone. The unique device ID should be sufficient. Right now, the app seems to be a hit or miss. Sometimes it works and other times it fails. It’s on sale for $1.99. At this point, I’m glad I didn’t pay the normal price since it’s been a bit disappointing. I hope the dev fixes it. Funny thing is I’ve been searching for more info about this app and read a comment from another website asking “who is policing the police?” Since you’re a programmer you may have more insight to this.

    I read about the issue with Pandora. Their goal with target advertising has caused them to sell out…sell out personal info of their users. It left me wondering about all the apps out there that have access to read_phone_state and identity. It’s not a good thing when telemarketers call my mobile or send spam SMS.
